2. Select the application that should be removed and click on the Remove or Change/Remove button (whichever is available)
6.3 Identify and Remove Malware
6.3.2 Removing Malware
On an infected computer, users should try to remove the malware using the computer’s antivirus and antispyware software. The steps listed below provide general guidance for attempting to remove malware.91 Vendors of antivirus and antispyware software often provide detailed instructions for removing malware, such as specific steps for removing a particular virus or worm. Once the specific type of malware on a system has been identified, consider checking the antivirus and antispyware software vendors’ Web sites for more suggestions on how to remove it. If the antivirus or antispyware software has specific removal procedures, these should be followed instead of the general guidance below.
90 As described in Section 3.3.1, the Windows Malicious Software Removal Tool is a free utility provided by Microsoft that users can run to identify and eliminate certain common instances of malware.
91 An additional source of general guidance for removing malware is Recovering from a Trojan Horse or Virus by Michael Durkota of US-CERT, available at http://www.us-cert.gov/reading_room/trojan-recovery.pdf.
Before attempting to remove malware, users should perform a backup of their critical personal data in case the malware or the malware removal process causes damage to the data. Directions on performing backups are provided in Section 4.2. Users should be cautious with the backups because they might contain malware-infected files. Once all malware has been removed from the computer and the antivirus and antispyware programs are fully updated, the backup media should be fully scanned by the antivirus and antispyware programs to determine if any of the files are infected.
Follow these steps to attempt to remove malware:
1. Have the antivirus and antispyware software check for updates to verify that they are fully up-to-date. If any updates are available, apply them.92
2. Close all of the applications running on the computer except for security tools such as antivirus software, antispyware software, and personal firewalls. Applications that should definitely be closed include Web browsers, e-mail clients, office productivity tools, and instant messaging clients.
3. Disconnect all of the computer’s network connections. This could include one or more of the following:
Disconnecting a call made by a telephone modem
Unplugging a network cable from the computer
Disabling a wireless network card. To do so, perform the following steps:
a. From the Control Panel, double-click on Network Connections.
b. Right-click the wireless network card and select Disable.
c. Close the Network Connections window.
4. Turn off the System Restore feature, because it can cause malware that is removed from the computer to be restored inadvertently.
a. Right-click on My Computer, then choose Properties.
b. Click the System Restore tab. Select Turn off System Restore.
c. Click on Apply, then Yes, then OK.
92 If the computer is disconnected from the network, or can no longer be connected to a network, the antivirus software and antispyware software could possibly be updated by downloading the updates from an uninfected computer, placing them onto removable media (e.g., CD), and using the removable media in the infected computer to update the antivirus and antispyware software.
5. Run the antivirus software, antispyware software, or specialized malware removal tool.
Follow the vendor’s instructions to perform a full scan and to remove any malware from the computer (including disinfecting or quarantining all infected files).
6. Take the action that matches the result of the scan:
Malware was found and eliminated or quarantined. Perform another full scan to confirm that there is no longer any malware on the computer. If no malware is present, go to Step 7. If malware is found again, repeat Step 6.
Malware was found but could not be eliminated or quarantined. Certain types of malware can only be removed when the computer is booted in safe mode. To run the scanning software from safe mode, perform the following steps:
a. Reboot the computer. As soon as the initial hardware self-test is done, press the F8 key. This should cause the Windows Advanced Options menu to be displayed.
i. If the menu is displayed, choose Safe Mode.
ii. If the menu is not displayed, reboot the computer again and hit the F8 key repeatedly shortly after the computer restarts. When the menu is displayed, choose Safe Mode.
b. Perform a full scan. The malware should be eliminated or quarantined during the scan.
c. After the scan has completed, perform another scan to confirm that no more malware is remaining.
The scan failed or could not be performed. The malware might be interfering with the scanning. Perform steps 6a through 6c as listed above.
7. Once all malware is removed from the computer, re-enable System Restore:
a. Right-click on My Computer, then choose Properties.
b. Click the System Restore tab. Uncheck the Turn off System Restore option.
c. Click on Apply, then Yes, then OK.
8. Reconnect the network connections. This could include one or more of the following:
Making a phone call with a telephone modem
Plugging a network cable into the computer
Enabling a wireless network card. To do so, perform the following steps:
a. From the Control Panel, double-click on Network Connections.
b. Right-click the wireless network card and select Enable.
c. Close the Network Connections window.
9. Update all antivirus and antispyware software on the computer. It may be necessary to perform multiple updates, since some updates must be applied in sequence. Also, check the configuration of the antivirus and antispyware software to ensure that it corresponds to the guidance provided in Section 3.3.1.
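The following script is an added example, not part of this NIST document, that automates the parts of Steps 3 through 8 above that can be scripted: it disconnects every active network adapter, turns System Restore off, runs a command-line scanner repeatedly until a pass reports clean, and only then turns System Restore back on and reconnects the network. It assumes Windows PowerShell 2.0 on Windows XP SP3, an Administrator account, and a caller-supplied scanner: the default path to mrt.exe, its switches, and the convention that exit code 0 means "no malware found" are placeholders that must be checked against the scanner vendor’s documentation. Steps 1 and 2 (updating the security software and closing applications) and the safe-mode fallback in Step 6 remain manual.

```powershell
# Added example (not NIST SP 800-69 text). Assumes Windows PowerShell 2.0 on
# Windows XP SP3, run as Administrator. $ScannerPath and $ScannerArgs are
# placeholders; "exit code 0 = clean" is an assumption to verify per vendor.
param(
    [string]$ScannerPath = "$env:SystemRoot\System32\mrt.exe",  # placeholder
    [string]$ScannerArgs = "/F /Q",                              # placeholder
    [string]$SystemDrive = "C:\",
    [int]$MaxPasses = 3
)
$ErrorActionPreference = "Stop"

# Step 3: adapters that have a Windows connection name and are connected
# (NetConnectionStatus 2). netsh is used because Win32_NetworkAdapter has no
# Enable()/Disable() methods on XP.
function Get-ConnectedAdapterNames {
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionID -and $_.NetConnectionStatus -eq 2 } |
        ForEach-Object { $_.NetConnectionID }
}

function Set-AdapterState([string[]]$Names, [string]$State) {   # enabled|disabled
    foreach ($n in $Names) {
        Write-Host "netsh: $State '$n'"
        & netsh interface set interface "name=$n" "admin=$State" | Out-Null
    }
}

# Steps 4 and 7: System Restore is controlled through the SystemRestore WMI
# class in root\default; both methods return 0 on success.
function Set-SystemRestore([string]$Drive, [bool]$Enabled) {
    $sr = [wmiclass]"\\.\root\default:SystemRestore"
    if ($Enabled) { $rc = $sr.Enable($Drive, $true).ReturnValue }
    else          { $rc = $sr.Disable($Drive).ReturnValue }
    if ($rc -ne 0) { throw "SystemRestore call returned $rc" }
}

# Steps 5 and 6: rerun the full scan until a pass reports clean, so every
# removal is confirmed by a second scan. Any nonzero exit code (malware found,
# or scan failed) triggers another pass; after $MaxPasses the caller is sent
# to the manual safe-mode procedure.
function Invoke-ScanLoop {
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        Write-Host "Full scan, pass $pass of $MaxPasses"
        $p = Start-Process -FilePath $ScannerPath -ArgumentList $ScannerArgs `
                           -Wait -PassThru
        if ($p.ExitCode -eq 0) { return $true }
        Write-Host "Scanner exit code $($p.ExitCode): malware found or scan failed"
    }
    return $false
}

$adapters = @(Get-ConnectedAdapterNames)
Set-AdapterState $adapters "disabled"          # Step 3: isolate the computer
Set-SystemRestore $SystemDrive $false          # Step 4

$clean = Invoke-ScanLoop                       # Steps 5 and 6
if ($clean) {
    Set-SystemRestore $SystemDrive $true       # Step 7
    Set-AdapterState $adapters "enabled"       # Step 8
    Write-Host "No malware detected. Update antivirus/antispyware software now (Step 9)."
} else {
    # Stay isolated and keep System Restore off until the computer is clean.
    Write-Warning ("Malware persisted after $MaxPasses passes. Reboot, press F8, " +
                   "choose Safe Mode, and rerun the scanner (Step 6).")
}
```

The script deliberately leaves the computer disconnected and System Restore disabled when the scan loop does not reach a clean pass, because reconnecting a still-infected computer is exactly what the guidance above warns against; the adapter names it disabled are kept in $adapters so they can be re-enabled with the same function once the safe-mode scan succeeds.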
If all malware cannot be removed from the computer, seek expert assistance, as described in Section 8.5.1. If the malware cannot be removed completely from the computer by an expert, or the malware causes serious damage to the computer’s operating system, it might be necessary to reinstall Windows XP Home Edition and all applications, and restore user data from backups. Continuing to operate a computer that is infected with malware could cause other computers to become infected, other files and data to become damaged or destroyed, and personal data such as passwords, credit card numbers, and PINs to be provided to unauthorized parties.
6.4 Secure the Computer
If the scans described in Section 6.3 indicate that the computer does not have any malware, or the scans are successful at removing all malware from the computer, the user should continue securing the computer using the directions presented in Section 5, starting with Section 5.2. The major steps presented in Section 5 for securing the computer are as follows:
1. Apply updates to Windows XP Home Edition, and configure it to update itself automatically in the future.
2. Install and configure additional security software, such as antivirus software and a personal firewall.
3. Alter the default Windows XP Home Edition configuration to further improve security.
4. Document the installed software applications for future use in troubleshooting problems.
If all malware cannot be removed from the computer, the user should seek expert assistance, as described in Section 8.5.1, or follow the directions in Section 8.5.2 for attempting to recover the system (e.g., restoring it from a backup, reinstalling Windows XP Home Edition).
6.5 Summary
Although it is usually preferable to secure a new installation of Windows XP Home Edition, users may decide in some cases that it is more convenient to secure an existing installation instead. Because the security state of a previously used installation is often unknown, it may take considerable time to determine if the computer has been infected with malware or attacked successfully in other ways. If the computer has suffered serious damage, it may be necessary to reinstall Windows XP Home Edition and secure the new installation instead.
Before beginning to secure an existing installation, a user should perform preparatory actions, including gathering needed materials, setting the default view for Control Panel, and identifying the service pack currently in use. The next step is to assess the current state of the security of the computer; the main focus of this is ensuring that security software is installed and up-to-date, as well as checking its configuration. The computer should then be scanned for malware, and all identified malware removed. The security of the computer needs to be maintained on an ongoing basis, as described in Section 8.